Archive

Though not as sexy as MPLS and IPSec VPN, Cable Modem and DSL seem like an important topic for the exam. The natural focus for this chapter is PPPoE and PPPoA, but the more I read about it, the more I understand how much emphasis Cisco puts on this sub-topic, and since exam day is looming I cannot allow myself to ignore it.

I will go over the major components of the cable system and lay out the provisioning of a cable modem.

Components of a Cable System

There are five basic components:

Antenna site – this is where we receive TV signals (from either an antenna or a dish).

Headend site – this is where the TV signal is converted for distribution to the end users.
Here we also convert data for transport to/from users.

Transportation network – this is where the antenna site and headend get connected.
It can use either a coaxial or a fiber cable.

Distribution network – this is how signals are carried between the user and the transportation network.
Feeder cables connect the distribution network to the subscriber drops.

Subscriber drops – this is where the distribution network connects with the customer equipment, the cable box.

DOCSIS, Data Over Cable Service Interface Specifications, is the worldwide standard that defines the Layer 1 and Layer 2 (physical and data link) requirements.

Around the world there are three major standards for TV systems:
NTSC – Analog standard used in North America. 6 MHz channel width.
PAL – Color TV standard used in most of the world. 6, 7 or 8 MHz channel width.
SECAM – Standard used in France. 8 MHz channel width.

DSL types:

ADSL, Asymmetric Digital Subscriber Line, has a large download bandwidth and a smaller upload bandwidth. It has an 18,000 feet distance limit and can coexist with POTS (Plain Old Telephone Service).
Signal loss over distance is called attenuation.
The ADSL POTS splitter is installed at the headend side.
The splitter passes the ADSL traffic to the modem and blocks voice frequencies from the modem (that is how we can use the internet and the phone at the same time).
The splitter also passes the voice frequencies to the POTS device and blocks ADSL traffic from the POTS device.

I was walking from work to the train on 42nd Street between 5th and 6th Ave (if it is not obvious, I’m talking about Manhattan) and, like many other days, a group of people, I would say late teens to early twenties, tried to catch my attention for a short conversation. They work for non-profits like Greenpeace and try to interest you with a "save the world – donate some money" theme. Don’t get me wrong here: when I see a good cause I believe in, I open my heart and pull out my wallet (though today’s trend is texting), but I would never give my credit card details to a bunch of strangers in the middle of the street!

Going back to my question, I looked at one guy who stopped and pulled out his credit card, and the only thing I could think of was Intrusion Prevention. Yes, it is kind of geeky, but this guy had no firewall on his wallet and I suspect his next statement would be his IDS, but like a good IDS it would be too late to prevent the damage!

Things only got worse when I got to the station and pulled out my ISCW notes. Not only was it geeky, but my HaniDoku app felt betrayed (sad but true…)

I plan to spend a few days this weekend going over the book and updating the notes, as I now have a better picture of the exam and the lab requirements. I’ll update the file under the ISCW page by the end of the weekend.

I could also use your help. Download the file, go over my notes, and if you think I’m wrong, missed something, or need to add information on certain topics, comment here or email me and I’ll use your comments in the revised version.

Most of the posts summarize my studies after completion of a topic I’ve been working on. This approach both helps me organize my thoughts about the material and keeps my commitment to you as high as possible.

Now that I’ve finished watching all the videos and reading the book (both volumes), I’m ready to move forward and start the second phase of my studies, which includes two parallel tasks: Lab and Memorize Definitions.

Memorize Definitions is as simple as it gets: I read all my notes and make sure I remember the acronyms and can explain what they stand for. I also make sure I know the order of important processes (like forming a VPN connection or configuring AAA).
Though this part looks simple, I’m not good at memorizing, so it’s not fun.

The lab is the fun part, which sometimes gets difficult but is always challenging and usually more interesting than the memorizing part.
In this post I will give details on my ISCW lab equipment.

Guidelines:

Use equipment that simulates the topics as they appear in the exam. Buying more or better does not help you pass the exam.

Try to use existing equipment. Lucky me, I have some spare routers and switches at the office which I can use for this lab. If you have to buy, eBay is your friend.

Whenever possible, use live equipment. I prefer spending my money on a rented rack rather than buying a simulator (though they are almost as good).

ISCW requires a later IOS version (12.4 and later). There is a reason Cisco makes this note, so do not use older IOS versions, as it can cost you a few questions!
The routers should support the following feature sets if you want a complete exam-supported environment:
IP/FW/IDS/Plus IPSEC 3DES
Advanced IP Services
Advanced Security

ISCW doesn’t need too much. 3-4 routers can do the work because, unlike BSCI or BCMSN, this exam does not use routing protocols in a way that requires testing propagation.

I have three 2600XMs available for my lab. That is a good start, as they support Advanced IP Services and Advanced Security.
While I’m covered for two of the three sets, I could also use an 1801 or 1841 as cheap alternatives that also support these features, or an 877 that supports all of the above.

The third feature set, which I feel is the most important for the exam, is IPSEC 3DES. The 3640 supports this feature, but since I do not have one (I have one old 3620 that is useless here) I will use something similar (though not identical): a Cisco PIX.
I have a spare PIX firewall in a working test environment where I can “play” with the configuration and create as many VPN tunnels as I want. Going over the exam materials, I think it will offer all the options that ISCW covers and more. If you have to buy a router, the 3640 is relatively cheap, and this is an important topic (both for the exam and for life), so this is not the right place to save a few bucks.
Another inexpensive option is getting a couple of 1710s with the VPN module. They come with two Ethernet interfaces, run IOS 12.4 and cost well below $100 on eBay.

Tip: How can you tell if the router you have or plan to buy supports the required features?
Use the Cisco Feature Navigator tool. Use it before you buy anything and make sure you get the right router. Not only will you waste your money on a router that cannot provide the features, you’ll waste precious practice time, and that is more valuable than the cost of the router!

Additional information:
I found this document on the Cisco Learning Network; it uses three 2811s to simulate HQ, Branch and ISP. The suggested lab topology is good and I’ll use it as my reference while building my lab.

A good MPLS lab with config samples is available in this Pearson document.

The table below lists all the valid ways to become certified. Note the expiration date of the options using ISCW and ONT. Candidates in the process of obtaining their CCNP, who wish to certify before the new TSHOOT exam becomes required, must pass all the required exams on or before July 31 2010. After July 31, 2010, all CCNP candidates will be required to pass the TSHOOT exam.

CCNP = BSCI + BCMSN + ISCW + ONT (Last day July 31, 2010)
CCNP = COMP + ISCW + ONT (Last day July 31, 2010)
CCNP = BSCI + SWITCH + ISCW + ONT (Last day July 31, 2010)
CCNP = ROUTE + BCMSN + ISCW + ONT (Last day July 31, 2010)
CCNP = ROUTE + SWITCH + ISCW + ONT (Last day July 31, 2010)
CCNP = BSCI + BCMSN + TSHOOT
CCNP = COMP + TSHOOT
CCNP = BSCI + SWITCH + TSHOOT
CCNP = ROUTE + BCMSN + TSHOOT
CCNP = ROUTE + SWITCH + TSHOOT

There is an official announcement here, though it doesn’t show yet on the main CCNP page. More information on the announced changes can be found here.
You can now mark July 31 as the focal point, the end of the road for the current track.
The one thing that does come out of this new information is that even if you fail to complete all four exams by July 31 you will not lose everything. The only catch is ISCW and ONT being bundled into the TSHOOT exam, but BCMSN and BSCI will count toward the new track exams. Not a bad deal.

Only 197 days left to complete my CCNP

Update: on Jan 21st I noticed that Cisco removed the answers from their site. You can still see the original post, which I recovered with Google Cache.

Update: on Jan 25th Cisco released the official announcement. Check all the details here.

The Device Hardening chapter is long and very detailed. If you’re coming off your CCNA exam you will be familiar with many of the subjects, the difference being the level of detail.

The first part reviews management protocols, their security weaknesses and ways to better secure them. Going over SNMP, NTP and SSH, I found it a funny coincidence that an upgrade of our time server was due the same week, using an NTP v3 based solution…
I use Domain Time II, a time sync software that provides time synchronization for the network and detailed reports and audit capabilities for the compliance officer. So here is the real-life connection to my study materials 🙂

I found the Network Attacks topic very interesting, but the details, oh the details. Though I was familiar with most of the attacks and their capabilities, it surprised me how many variants and countermeasure options there are. I will definitely have to watch that video again and read the related paragraphs in the book; I bet those details will be on the exam.
One question I couldn’t answer is why the word Reconnaissance was chosen over Spying. It is such a weird name for a network attack…

Using ASA and PIX, I get to work with ASDM many times. It was nice to see that Cisco allows many of the CLI commands in SDM, and after the earlier VPN configuration, which proved to be much easier using SDM on both ends of the connection, AutoSecure adds to the SDM value. Using AutoSecure to test the network is a great tool even if you’re not going to fix anything, and fixing problems is easy and intuitive.

Out of this whole list of attacks and their solutions I found one new topic, something I never saw in the real world and, as long as I work in the small to mid-size organization sphere, I do not think I’ll ever see: Role-Based CLI.
Creating Views and Superviews reminds me of Active Directory, where you can place a few different groups into one bigger group and each of these groups can join different groups.
Views are sets of commands that can be assigned to a user.
A Superview is a group of Views that can be assigned to a user as a package.
If you find this topic interesting you can check this configuration example.
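As an added illustration (my own example, not the configuration example linked above and not from the course materials), here is a minimal Role-Based CLI setup as it would look on IOS 12.4: one view limited to read-only show commands, a second view limited to interface addressing, and a superview that bundles both. The view names, usernames and secrets are made up for this example; replace every EXAMPLE-... value with your own.

```cisco
! Role-Based CLI needs AAA. Views are defined from the root view, which you
! enter from privileged EXEC with "enable view" using the enable secret.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
! placeholder secret, not a real value
enable secret EXAMPLE-ENABLE-SECRET
!
! View 1: read-only monitoring. Only the commands listed here are visible
! to a user in this view; everything else is hidden from the parser.
parser view MONITOR
 secret EXAMPLE-MONITOR-SECRET
 commands exec include show ip interface brief
 commands exec include show ip route
 commands exec include show interfaces
 commands exec include show logging
!
! View 2: interface addressing only. The user can enter config mode and
! interface mode, but the only interface command allowed is "ip address".
! include-exclusive reserves that command for this view alone.
parser view IFADDR
 secret EXAMPLE-IFADDR-SECRET
 commands exec include configure terminal
 commands configure include interface
 commands interface include-exclusive ip address
!
! Superview: carries no commands of its own; a user in it gets the union
! of the member views' command sets. The superview keyword and its own
! secret are both required.
parser view OPS superview
 secret EXAMPLE-OPS-SECRET
 view MONITOR
 view IFADDR
!
! Bind local users to views so each login lands directly in its view
! instead of in privilege level 15.
username helpdesk view MONITOR secret EXAMPLE-HELPDESK-PW
username senior view OPS secret EXAMPLE-SENIOR-PW
```

From the root view, "show parser view all" lists every view and superview, and "show parser view" inside a session confirms which view the current user landed in; a quick "?" at the prompt while logged in as helpdesk should show only the four show commands above. The point for hardening is least privilege: the help desk login cannot reach config mode at all, and the senior login can change addressing but still cannot run commands neither view grants.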

Two weeks later and I can start thinking about exam dates. I’m not there yet, but as I get closer to the end of the reading, watching and summarizing, I know that for this exam only a few selected topics require a full, comprehensive second review.
My plan for the coming long weekend is to finish the last topics and start working on my lab. I’ll have to figure out which way to go with the lab and will post my setup in the coming days.

I was able to complete the IPSec VPN chapter over the weekend. It is good because I am still within the time frame I set for myself, and it is encouraging.

After completing the GRE topic I still had a long way to go with two subjects:
High Availability, which is mostly HSRP.
EasyVPN via SDM, which takes a big portion of both the video and the book but is mostly intuitive screenshots of SDM’s easy-to-use (and familiar) GUI.

While I found this (long) chapter very familiar, both in theory and in my hands-on experience, it surprised me how different the two videos are.
In my First Week summary I promised to share my insight on the differences between Jeremy Cioara’s CBT Nuggets (aka CBT) and Chris Bryant’s Train Signal (aka TS) videos.
Here they are:

Video breakdown – TS has 3 long parts for the video compared with 6 easier-to-digest parts in the CBT video. I found it most significant in the concepts part, which is the most complicated part of this topic.

Study book compatibility – While CBT runs in the same order as the book, TS changes both the order and the emphasis of the different topics in this chapter. This was most noticeable with GRE, where CBT had a dedicated video and TS only spent a few minutes on this topic.
Which way is better? Maybe I’ll get my answer on exam day, but personally it makes my life easier, since I write my notes while watching the video and then read the book and follow the same notes in the same order. It is a time-saving issue.

Fun to watch (and mostly listen to) – I know it is not a beauty contest and we do not see either guy, but Chris Bryant walks you through the TS video with a serious face while Jeremy Cioara creates a happy environment and brings life to the video, as much as possible with a couple of routers. Usually you would fall asleep or at least count the minutes left in the video; Jeremy’s video won’t let you!

MPLS – One word on the previous chapter, which summarizes all the above. The CBT explanation was fun and very easy to comprehend, and although it was the one topic I wasn’t familiar with, I felt relaxed at the end knowing that labels are my friends.

I think it is clear that after watching the two, I am a Jeremy Cioara fan. Go Jeremy!

Today I started the Device Hardening chapter, which includes many familiar topics like NTP, SSH and Banners, followed by SYN flooding and other attacks that will wait for later this week.

Tomorrow (which is actually today, as it is past midnight) I’m taking the day off to celebrate my birthday, and hopefully I’ll get back Wednesday at full speed to finish the first round of video and book review by the end of this week.